Brian May <b...@debian.org> writes: > In any case I am looking at doing this now, will start off without > git. If there is any demand I can move things across (including prior > revisions) to git later.
Attached is my current patch. It only includes changes to debian/*. Still needs more work. In particular, I think the CVE-2016-2513.diff patch is needed; didn't apply it yet as one hunk conflicts, will look into this now. Need to double check that all the other patches really are not required. -- Brian May <b...@debian.org>
diff -Nru python-django-1.4.5/debian/changelog python-django-1.4.22/debian/changelog
--- python-django-1.4.5/debian/changelog 2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/changelog 2016-08-01 07:59:10.000000000 +1000
@@ -1,3 +1,10 @@
+python-django (1.4.22-1) UNRELEASED; urgency=medium
+
+ * New upstream release
+ * Update wheezy to latest version in 1.4.x series.
+
+ -- Brian May <b...@debian.org> Mon, 01 Aug 2016 07:58:39 +1000
+
 python-django (1.4.5-1+deb7u16) wheezy-security; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru python-django-1.4.5/debian/patches/CVE-2016-2512.diff python-django-1.4.22/debian/patches/CVE-2016-2512.diff
--- python-django-1.4.5/debian/patches/CVE-2016-2512.diff 2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/CVE-2016-2512.diff 2016-08-01 08:00:51.000000000 +1000
@@ -14,7 +14,7 @@
 --- a/django/utils/http.py
 +++ b/django/utils/http.py
-@@ -237,8 +237,12 @@ def is_safe_url(url, host=None):
+@@ -237,8 +237,12 @@
 url = url.strip()
 if not url:
 return False
@@ -31,7 +31,7 @@
 if url.startswith('///'):
 --- a/django/contrib/auth/tests/views.py
 +++ b/django/contrib/auth/tests/views.py
-@@ -312,7 +312,12 @@ class LoginTest(AuthViewsTestCase):
+@@ -312,7 +312,12 @@
 'ftp://exampel.com',
 '///example.com',
 '//example.com',
@@ -45,7 +45,7 @@
 nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
 'url': login_url,
-@@ -335,6 +340,7 @@ class LoginTest(AuthViewsTestCase):
+@@ -335,6 +340,7 @@
 'https://testserver/',
 'HTTPS://testserver/',
 '//testserver/',
diff -Nru python-django-1.4.5/debian/patches/CVE-2016-2512-regression.diff python-django-1.4.22/debian/patches/CVE-2016-2512-regression.diff
--- python-django-1.4.5/debian/patches/CVE-2016-2512-regression.diff 2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/CVE-2016-2512-regression.diff 2016-08-01 08:00:52.000000000 +1000
@@ -10,7 +10,7 @@
 --- a/django/utils/http.py
 +++ b/django/utils/http.py
-@@ -8,7 +8,7 @@ import unicodedata
+@@ -8,7 +8,7 @@
 from email.utils import formatdate
 from django.utils.datastructures import MultiValueDict
@@ -19,7 +19,7 @@
 from django.utils.functional import allow_lazy
 ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
-@@ -237,6 +237,10 @@ def is_safe_url(url, host=None):
+@@ -237,6 +237,10 @@
 url = url.strip()
 if not url:
 return False
@@ -38,7 +38,7 @@
 import sys
 from django.utils import http
-@@ -111,3 +113,12 @@ class TestUtilsHttp(unittest.TestCase):
+@@ -111,3 +113,12 @@
 '//testserver/',
 '/url%20with%20spaces/'):
 self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
diff -Nru python-django-1.4.5/debian/patches/series python-django-1.4.22/debian/patches/series
--- python-django-1.4.5/debian/patches/series 2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/series 2016-08-01 19:39:36.000000000 +1000
@@ -1,32 +1,8 @@
 02_disable-sources-in-sphinxdoc.diff
 03_manpage.diff
 06_use_debian_geoip_database_as_default.diff
-is_safe_url-1.4.diff
 uri-fix.diff
-ssi-tag-1.4.diff
-password-dos.diff
-password-2.5-compat.diff
-reverse-execution-1.4.x.patch
-cache-csrf-1.4.x.patch
-mysql-typecast-1.4.x.diff
-2601.patch
-is_safe_url_1_4.diff
-drop_fix_ie_for_vary_1_4.diff
-FTBFS-exception-in-servers-tests-tear-down.patch
-admin-data-leak-1.4.diff
-file-upload-1.4.diff
-remote-user-1.4.diff
-reverse-1.4.diff
-CVE-2015-0219.diff
-CVE-2015-0219-fix.diff
-CVE-2015-0220.diff
-CVE-2015-0221.diff
-CVE-2015-0221-regression-fix.diff
-CVE-2015-2317.diff
-session-1.4.x.diff
-newlines-1.4.x.diff
-session-store-1.4.x.diff
 date-leak-1.4.x.diff
 CVE-2016-2512.diff
 CVE-2016-2512-regression.diff
-CVE-2016-2513.diff
+# CVE-2016-2513.diff
diff -Nru python-django-1.4.5/debian/patches/uri-fix.diff python-django-1.4.22/debian/patches/uri-fix.diff
--- python-django-1.4.5/debian/patches/uri-fix.diff 2016-03-26 00:39:46.000000000 +1100
+++ python-django-1.4.22/debian/patches/uri-fix.diff 2016-08-01 08:00:47.000000000 +1000
@@ -4,9 +4,9 @@
 Subject: Use name that won't resolve in tests.
 --- a/tests/modeltests/validation/tests.py
 +++ b/tests/modeltests/validation/tests.py
-@@ -86,7 +86,7 @@
- self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
+@@ -87,7 +87,7 @@
+ @verify_exists_urls(existing_urls=())
 def test_correct_https_url_but_nonexisting(self):
 - mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.com/')
 + mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.invalid/')
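Review bot: In the debian/patches/series hunk, the last entry changes from `CVE-2016-2513.diff` to `# CVE-2016-2513.diff` with nothing in the file recording why, and since quilt-style series files treat `#` lines as comments, the package will build cleanly without that fix. I would put the reason on the line above it, for example `# FIXME: CVE-2016-2513.diff disabled, one hunk conflicts with 1.4.22; rebase and re-enable before upload`, so the disabled state cannot be mistaken for a patch dropped because upstream merged it. The same hunk removes 24 other entries, several of them CVE fixes carried by the previous wheezy-security upload, while the new changelog stanza only says "New upstream release"; a changelog line such as `* Drop patches applied upstream in 1.4.22: <patch names>` (placeholder list) would leave a record of what was verified. Judging only by the file sections visible here, the removed entries change in `series` alone, so the patch files themselves may remain in debian/patches unreferenced, which is worth confirming against the full debdiff.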